See ya later, passwords

Google has announced that by the end of this year they plan to replace digital passwords with biometrics. Their “Trust API” will monitor things like location, typing patterns, speed and voice patterns, facial recognition, and more. “We have a phone, and these phones have all these sensors in them. Why couldn’t it just know who I was, so I don’t need a password? I should just be able to work,” Dan Kaufman, head of ATAP at Google, said at the company’s I/O conference in May.¹

It’s something consumers are clamoring for. According to new research, 80% of users who are open to biometric authentication think it’s more secure than traditional usernames or passwords.² And no wonder: Hackers can crack passwords faster than ever with modern graphics cards and easy-to-get data.

“Online sites are aware of these issues,” explains Jim Waldron, Senior Architect for Platform Security at HP, “and so some of them have increased the security by adding secret questions and answers like: ‘What is your mother’s maiden name?’ Unfortunately, much of this ‘private’ information can be legally purchased from online data aggregators.”

“At a very high level,” says Waldron, “what we need are new, more secure methods for users to identify themselves to online services—methods that are also easy for users to perform.” Enter biometrics—an industry that is projected to reach $21.9 billion by 2020.³

So what’s the Trust API?
It’s Google’s answer to biometrics, which was first introduced last year under the codename “Project Abacus.” The goal of Abacus is to kill passwords with a thousand tiny cuts: It combines several weaker indicators into proof of your identity.

Using sensors from your Android smartphone, the Trust API monitors your location—the way you type, the way you move (how you swipe your screen, for example) as well as voice and facial recognition. It then crunches that data and gives a “trust score”—a percentage of how likely you are who you say you are.

Not much more is known about the nuts and bolts of the Trust API, but we do know that Google is beta testing it with large financial institutions (some of the most security-conscious businesses out there). If all goes well, it will be available to Android developers and users by the end of the year. So what’s the big deal? Even though biometrics has been around for a while, this could be one of the largest pushes to the mainstream that it’s had (iOS thumbprint identification notwithstanding).

What else is going on in biometrics? (A lot.)

• MasterCard is testing an app that analyzes selfies to authorize online purchases.⁴ They’re also working with a third-party developer on a heartbeat-monitoring bracelet. Banks in Canada and Europe will be the first users to try it out.
• Wells-Fargo is investing heavily in iris-scanning technology for their banking app. (Banks are at the forefront of biometrics—makes sense, since they have so much to lose if a hack occurs.)
• We’ve heard about eyes before, but what about ears? Everyone’s ear canals are unique, and so is the way sound resonates within them. In March, Japan’s NEC Corporation announced a new technology that will capture sound-resonating data with special earbuds—with a 99% accuracy rate.
• Your gait, or the way you walk, can be analyzed with video cameras.⁵ At some point in the future the sensors in your smart phone will be able to measure it as well.

What are the risks?

• Bio-data theft. Passwords are inherently private, but your body parts are not. Hackers can take a photo of your face or swipe your fingerprint off a glass from a bar—then get full access to your phone. And once your bio-data is compromised, it’s gone—you can change your password, but you can’t change your iris scan.
• Constant monitoring. Are you comfortable with it? Sure, it’s OK if it allows safe access to your credit card—but other parties may eventually want to access that information as well.

How can it help your business?

• Increased registration. When customers are confident that their personal data is safe, they’re more likely to give it to you.
• Data and insights. You’ll learn a bit more about who your customers are and how you can best serve them.
• Better security. No one wants a data breach—least of all your business.

How can you get started?
If your business has an Android app (or even if it doesn’t), keep a close watch on the Trust ID updates. Chances are good that Google will offer some simple, useful solutions to whatever your current customer-facing security needs are. Internally, if your business is not ready to go full-bio yet, consider multi-factor identification, something HP offers on all Elite PCs. If you have an HP ElitePad, you can also add on a security jacket, which has integrated fingerprint and smartcard readers to prevent unauthorized access to data.

 

 

[1] The Verge, Google could replace some passwords with a ‘trust score’ by the end of the year
[2] Gigya, New Survey: Businesses Should Begin Preparing for the Death of the Password
[3] Chicago Tribune, Global Biometrics Market is Projected to Touch $21.9 Billion by 2020
[4] CNN, MasterCard launching selfie payments
[5] New Scientist, Cameras know you by your walk

used with permission from HP Technology at Work